Commit graph

20095 commits

Author SHA1 Message Date
Earl Warren b976c7f53f Merge pull request 'Update dependency webpack to v5.94.0 [SECURITY] (v8.0/forgejo)' (#5202) from renovate/v8.0/forgejo-npm-webpack-vulnerability into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5202
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-09-03 08:36:41 +00:00
Renovate Bot 40cf3c3187 Update dependency webpack to v5.94.0 [SECURITY] 2024-09-02 06:22:35 +00:00
Earl Warren e582bdab4d Merge pull request '[v8.0/forgejo] i18n: update of translations from Codeberg Translate' (#5161) from bp-v8.0/forgejo-45198ce into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5161
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-30 12:11:45 +00:00
Codeberg Translate b73fd55374 i18n: update of translations from Codeberg Translate (#5070)
Translations update from [Codeberg Translate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Current translation status:

![Weblate translation status](https://translate.codeberg.org/widget/forgejo/forgejo/horizontal-auto.svg)

## Draft release notes
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5070): i18n: update of translations from Codeberg Translate

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: Xinayder <Xinayder@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: hugoalh <hugoalh@users.noreply.translate.codeberg.org>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Eryk Michalak <gnu.ewm@protonmail.com>
Co-authored-by: Caesar Schinas <caesar@caesarschinas.com>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5070
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit 45198cef64)
2024-08-29 04:55:27 +00:00
Earl Warren 949e415fd3 Merge pull request '[gitea] week 2024-35-v8.0 cherry pick (gitea/main -> v8.0/forgejo)' (#5112) from earl-warren/wcp/2024-35-v8.0 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5112
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-28 10:31:23 +00:00
Gusted 9969870cf5 Merge pull request '[v8.0/forgejo] [SEC] Ensure propagation of API scopes for Conan and Container authentication' (#5151) from bp-v8.0/forgejo-5a871f6 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5151
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-28 10:08:38 +00:00
Gusted 02db188a50 [SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that use that JWT token.
- Integration test added.
- Resolves #5128

(cherry picked from commit 5a871f6095)
2024-08-28 08:45:05 +00:00
Earl Warren d3ff96ef86 Merge pull request '[v8.0/forgejo] fix: correct doctor commands and rename to forgejo' (#5135) from bp-v8.0/forgejo-94af0e5 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5135
Reviewed-by: Otto <otto@codeberg.org>
2024-08-27 06:13:59 +00:00
Otto Richter 5faa51a16b fix: correct doctor commands and rename to forgejo
The syntax is `doctor check --run` , see https://forgejo.org/docs/latest/admin/command-line/#doctor

(cherry picked from commit 94af0e53e5)
2024-08-27 01:44:08 +00:00
0ko 06917ce8a0 Merge pull request '[v8.0/forgejo] i18n: update of translations from Codeberg Translate' (#5116) from bp-v8.0/forgejo-d30be16 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5116
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-25 18:58:13 +00:00
Codeberg Translate 619f2faf98 i18n: update of translations from Codeberg Translate (#4984)
Translations update from [Codeberg Translate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Current translation status:

![Weblate translation status](https://translate.codeberg.org/widget/forgejo/forgejo/horizontal-auto.svg)

## Draft release notes
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4984): i18n: update of translations from Codeberg Translate

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: qui <qui@users.noreply.translate.codeberg.org>
Co-authored-by: hahahahacker2009 <hahahahacker2009@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Wuzzy <Wuzzy@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: fnetX <otto@codeberg.org>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4984
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit d30be160c9)
2024-08-25 18:00:17 +00:00
0ko 4e88e3590b Merge pull request '[v8.0/forgejo] i18n: update of translations from Codeberg Translate' (#5114) from bp-v8.0/forgejo-17fa750 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5114
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-25 17:31:44 +00:00
Codeberg Translate c13d13f7cc i18n: update of translations from Codeberg Translate (#4889)
Translations update from [Codeberg Translate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Current translation status:

![Weblate translation status](https://translate.codeberg.org/widget/forgejo/forgejo/horizontal-auto.svg)

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-authored-by: dragon <dragon@users.noreply.translate.codeberg.org>
Co-authored-by: hoovad <hoovad@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Co-authored-by: hugoalh <hugoalh@users.noreply.translate.codeberg.org>
Co-authored-by: zub <zub@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4889
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit 17fa75074d)
2024-08-25 15:55:17 +00:00
Earl Warren 930e718afe chore(release-notes): weekly cherry-pick week 2024-35-v8.0 2024-08-25 17:54:29 +02:00
Lunny Xiao bd9edb6fed Use correct function name (#31887)
(cherry picked from commit 0299bb97f038685aee794a992fa4a9f5cf83652e)
2024-08-25 17:32:50 +02:00
Rowan Bohde 41281fc80a add CfTurnstileSitekey context data to all captcha templates (#31874)
In the OpenID flows, the "CfTurnstileSitekey" wasn't populated, which
caused those flows to fail if using Turnstile as the Captcha
implementation.

This adds the missing context variables, allowing Turnstile to be used
in the OpenID flows.

(cherry picked from commit 0d24c9f383255605d68a92cc5f087c3f16a1d735)
2024-08-25 17:15:25 +02:00
Earl Warren 014367158f Merge pull request 'Update module code.forgejo.org/forgejo/act to v1.21.2 (v8.0/forgejo)' (#5091) from renovate/v8.0/forgejo-code.forgejo.org-forgejo-act-1.x into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5091
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-24 06:27:29 +00:00
Renovate Bot 92cacdcdf8 Update module code.forgejo.org/forgejo/act to v1.21.2 2024-08-24 05:44:23 +00:00
Earl Warren 631d49e243 Merge pull request '[v8.0/forgejo] chore(dependency): use forgejo/act instead of gitea/act' (#5080) from earl-warren/forgejo:wip-v8.0-act into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5080
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-23 07:01:26 +00:00
Earl Warren cc4c430adc chore(dependency): use forgejo/act instead of gitea/act
The subset of ACT used by Forgejo was the same as Gitea until
https://code.forgejo.org/forgejo/act/pulls/45. Since it is now
different, use the Forgejo soft-fork instead of the Gitea soft-fork.

Refs: https://codeberg.org/forgejo/forgejo/issues/4789
(cherry picked from commit 41d13ee44b)

Conflicts:
	go.sum
  trivial context conflict
2024-08-23 08:21:14 +02:00
Otto 47bd4727bc Merge pull request '[PORT] Fix automerge on AGit PRs (gitea#31881)' (#5053) from gusted/forgejo-bp-gt-31881 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5053
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-21 18:35:27 +00:00
Earl Warren 60d518e733 Merge pull request '[v8.0/forgejo] [gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#5050) from bp-v8.0/forgejo-0fd2254-a8e25e9-1dfa115-385718d-d550042-ebfdc65-7f1db1d into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5050
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 15:08:29 +00:00
Giteabot 75fd8f6445 [PORT] Fix agit automerge (gitea#31881)
Backport https://github.com/go-gitea/gitea/pull/31207 by @lunny

Fix https://github.com/go-gitea/gitea/issues/31134

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

---
Conflict resolution: none
Modification: `s/assert.NoError/require.NoError`

(cherry picked from commit a0d1630700073785baff4ebc3031b0480d44cc63)
2024-08-21 17:05:34 +02:00
Earl Warren 4e5774fef7 chore(release-notes): weekly cherry-pick week 2024-34-v8.0 2024-08-21 13:06:07 +02:00
yp05327 c5acd41146 Add missing repository type filter parameters to pager (#31832)
Fix #31807

ps: the newly added params' value will be changed.
When the first time you selected the filter, the values of params will
be `0` or `1`
But in pager it will be `true` or `false`.
So do we have `boolToInt` function?

(cherry picked from commit 7092402a2db255ecde2c20574b973fb632c16d2e)

Conflicts:
	routers/web/org/home.go
  trivial conflict s/pager.AddParam/pager.AddParamString/
(cherry picked from commit a8e25e907c)
2024-08-21 13:03:36 +02:00
Adrian Hirt 9a142e3fd1 Fix overflowing content in action run log (#31842)
When a long line with characters such as dots is returned by a step in
an action (e.g. by the output of the Ruby on Rails test runner), it
overflows the log container, causing the page to scroll sideways.

This PR adds the CSS `overflow-wrap: anywhere;` to the
`.job-step-section .job-step-logs .job-log-line .log-msg` selector,
which causes such lines to wrap as well.

(cherry picked from commit 61aaf3440142d225802e3e9ce3db28bcf71f5a7e)
(cherry picked from commit 1dfa11551c)
2024-08-21 13:03:36 +02:00
Jason Song d5fec46de7 Avoid returning without written ctx when posting PR (#31843)
Fix #31625.

If `pull_service.NewPullRequest` returns an error which misses each `if`
check, `CompareAndPullRequestPost` will return immediately, since it
doesn't write the HTTP response, a 200 response with empty body will be
sent to clients.

```go
	if err := pull_service.NewPullRequest(ctx, repo, pullIssue, labelIDs, attachments, pullRequest, assigneeIDs); err != nil {
		if repo_model.IsErrUserDoesNotHaveAccessToRepo(err) {
			ctx.Error(http.StatusBadRequest, "UserDoesNotHaveAccessToRepo", err.Error())
		} else if git.IsErrPushRejected(err) {
			// ...
			ctx.JSONError(flashError)
		} else if errors.Is(err, user_model.ErrBlockedUser) {
			// ...
			ctx.JSONError(flashError)
		} else if errors.Is(err, issues_model.ErrMustCollaborator) {
			// ...
			ctx.JSONError(flashError)
		}
		return
	}
```

Not sure what kind of error can cause it to happen, so this PR just
exposes it. And we can fix it when users report that creating PRs failed
with error responses.

It's all my guess since I cannot reproduce the problem, but even if it's
not related, the code here needs to be improved.

(cherry picked from commit acd7053e9d4968e8b9812ab379be9027ac8e7771)

Conflicts:
	routers/web/repo/pull.go
  trivial context conflict
(cherry picked from commit 385718dd78)
2024-08-21 13:03:36 +02:00
Lunny Xiao e442e71e03 Fix panic of ssh public key page after deletion of auth source (#31829)
Fix #31730

This PR rewrote the function `PublicKeysAreExternallyManaged` with a
simple test. The new function removed the loop to make it more readable.

(cherry picked from commit b491b2104f83ee8fc4956c099c427b339291b3be)
(cherry picked from commit d5500422c9)
2024-08-21 13:03:36 +02:00
Jason Song cd7d0166f2 Show lock owner instead of repo owner on LFS setting page (#31788)
Fix #31784.

(cherry picked from commit 0470646d46f90c20f40fde718be6ef8d8c84ee2c)
(cherry picked from commit 7f1db1df3e)
2024-08-21 10:57:57 +00:00
Otto e3afdb8bc7 Merge pull request '[PORT] Fix overflow for images on project cards (gitea#31683)' (#5032) from gusted/forgejo-bp-5029 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5032
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 17:46:09 +00:00
Gusted 4b4613bd9c [UI] Remove snapping for images on project cards
Remove the snapping of the images on the projects cards, the images are
way too small to notice that when scrolling you're being snapped to
these images and when you do notice it, it doesn't make sense as you
wouldn't expect it to be snapped.

(cherry picked from commit 0764b7c18b)
2024-08-20 18:13:54 +02:00
Simon Priet e827bfa88a [PORT] Scroll images in project issues separately from the remaining issue (gitea#31683)
As discussed in https://github.com/go-gitea/gitea/issues/31667 &
https://github.com/go-gitea/gitea/issues/26561, when a card on a Project
contains images, they can overflow the card on its containing column.
This aims to fix this issue via snapping scrollbars.

---
Conflict resolution: none

(cherry picked from commit fe7c9416777243264e8482d3af29e30c2b671074)
(cherry picked from commit 8e46efef95)
2024-08-20 18:13:54 +02:00
Otto 292df29f42 Merge pull request '[v8.0/forgejo] [UI] Adjust trailing EOL behavior for empty file' (#5028) from bp-v8.0/forgejo-e9a89a1 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5028
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-20 14:33:59 +00:00
Gusted 69dfe81d0e [UI] Adjust trailing EOL behavior for empty file
- Follow up #4835
- Currently for empty files (file size is shown in the file header) the
"No EOL" information is being shown, even though it doesn't really
make sense to show that for empty files.
- Add integration test.
- Ref: https://codeberg.org/Codeberg/Community/issues/1612#issuecomment-2169437

(cherry picked from commit e9a89a188e)
2024-08-20 13:42:33 +00:00
Gusted 05af474e7a Merge pull request '[v8.0/forgejo] [UI] Fix misalignment of authors for repo activity' (#5006) from bp-v8.0/forgejo-72f4130 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5006
Reviewed-by: Otto <otto@codeberg.org>
2024-08-18 21:06:22 +00:00
Gusted 50db6ef5df [UI] Fix misalignment of authors for repo activity
- Regression of #4571
- We aren't showing the ticks generated by chartjs, because we want to
show the avatar of the person instead. You can't *really* disable that
tick, so instead I opted to make them transparent in #4571, however they
still affected the generation of ticks so if enough authors were being
shown, for some the ticks were being skipped. Adjust the settings to
make sure they are always being shown.
- Resolves https://codeberg.org/forgejo/forgejo/issues/4982

(cherry picked from commit 72f41306c2)
2024-08-18 20:12:35 +00:00
Gusted 9d2ea1ef5d Merge pull request '[v8.0/forgejo] [BUG] Make logout event non-blocking' (#4981) from bp-v8.0/forgejo-9c5c088 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4981
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-16 23:22:31 +00:00
Gusted 068b80814b [BUG] Make logout event non-blocking
- When people click on the logout button, an event is sent to all
browser tabs (actually to a shared worker) to notify them of this
logout. This is done in a blocking fashion, to ensure every registered
channel (which realistically should be one for every user because of the
shared worker) for a user receives this message. While doing this, it
locks the mutex for the eventsource module.
- Codeberg is currently observing a deadlock that's caused by this
blocking behavior, a channel isn't receiving the logout event. We
currently don't have a good theory of why this is being caused. This in
turn is causing that the logout functionality is no longer working and
people no longer receive notifications, unless they refresh the page.
- This patch makes this message non-blocking and thus making it
consistent with the other messages. We don't see a good reason why this
specific event needs to be blocking and the commit introducing it
doesn't offer a rationale either.

(cherry picked from commit 9c5c08859d)
2024-08-16 14:21:39 +00:00
Otto 08724823f4 Merge pull request '[v8.0/forgejo] Revert "Prevent allow/reject reviews on merged/closed PRs"' (#4965) from caesar/forgejo:bp/4907 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4965
Reviewed-by: Otto <otto@codeberg.org>
2024-08-15 10:45:38 +00:00
Caesar Schinas 502948960e add release notes
(cherry picked from commit 24418da690)
2024-08-15 10:48:09 +01:00
Caesar Schinas dfd3ac01d7 Revert "Prevent allow/reject reviews on merged/closed PRs"
This reverts commit 4ed372af13.
This change from Gitea was not considered by the Forgejo UI team and there is a consensus that it feels like a regression.

The test which was added in that commit is kept and modified to test that reviews can successfully be submitted on closed and merged PRs.

Closes forgejo/design#11

(cherry picked from commit 65c2595f26)
2024-08-15 10:47:38 +01:00
Michael Kriese 35c206317b Merge pull request '[v8.0/forgejo] fix: Run full PR checks on agit push' (#4951) from bp-v8.0/forgejo-2d05e92 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4951
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-13 19:19:56 +00:00
Michael Kriese f7858425bb fix(agit): run full pr checks on force-push
(cherry picked from commit 2d05e922a2)
2024-08-13 18:26:41 +00:00
Gusted 7b31a541c0 Merge pull request '[v8.0/forgejo] fix(ui): allow unreacting from comment popover' (#4919) from bp-v8.0/forgejo-b8a5ca2 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4919
Reviewed-by: Otto <otto@codeberg.org>
2024-08-10 12:49:39 +00:00
Solomon Victorino df2e85f667 fix(ui): allow unreacting from comment popover
- fix selectors for hasReacted
- don't send empty HTML on reaction errors
- add E2E test

(cherry picked from commit b8a5ca2c40)
2024-08-10 09:42:40 +00:00
Earl Warren 7acc1d98d2 Merge pull request '[v8.0/forgejo] [BUG] Return blocking errors as JSON errors' (#4918) from bp-v8.0/forgejo-d97cf0e into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4918
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-10 06:42:17 +00:00
Gusted d9010f5cfa [BUG] Return blocking errors as JSON errors
- These endpoints are since b71cb7acdc
JSON-based and should therefore return JSON errors.
- Integration tests adjusted.

(cherry picked from commit d97cf0e854)
2024-08-10 05:53:07 +00:00
Gusted 4d0be867a2 Merge pull request '[v8.0/forgejo] disallow javascript: URI in the repository description' (#4901) from bp-v8.0/forgejo-bb448f3 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4901
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 06:59:16 +00:00
Gusted dccf180307 disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:21 +00:00
0ko 1c0043efd6 Merge pull request 'i18n: backport of #4668 and #4783 to v8' (#4881) from 0ko/forgejo:i18n-backport-20240808-v8 into v8.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4881
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-08 09:41:04 +00:00